Cybercriminals have hit more than 40 countries with hidden malware that steals passwords and financial data. The malware is not found on hard drives as it hides in the memory of compromised computers, making it almost “invisible” as criminals exfiltrate system administrators’ credentials and other sensitive data. When a targeted machine is rebooted, nearly all traces of the malware disappear.
Over 140 enterprise networks – banks, government organizations and telecommunication companies – from 40 countries have been hit, according to Kaspersky Lab. The cybercriminals are using methods and sophisticated malware previously used by nation-state attackers.
The U.S. has been the most targeted country with 21 hidden-malware attacks, followed by 10 attacks in France, nine in Ecuador, eight in Kenya, and seven in both the UK and Russia.
Because the malware manages to hide so well, and poofs after a reboot, the number of infections may be much higher.
The “attacks are ongoing globally against banks themselves,” Kaspersky Lab’s Kurt Baumgartner told Ars Technica. “The banks have not been adequately prepared in many cases to deal with this.” The attackers are “targeting computers that run automatic teller machines” in order to push “money out of the banks from within the banks.”
The attackers have embraced anti-forensic techniques to avoid detection; malware loaded to RAM instead of a hard drive helps to keep it undetected as data is being stolen and systems are being remotely controlled. The attackers have used expired domains that have no WHOIS information. By using open source and legitimate tools, the cybercriminals are making attribution nearly impossible.
Researchers from Kaspersky Lab first learned of the “fileless” malware after a bank was attacked and it helped with forensic analysis. The bank found Meterpreter code in the memory of a server; Meterpreter was not supposed to be in the physical memory of the domain controller. Digging deeper, the researchers learned that the code had been injected into memory using PowerShell commands. The PowerShell scripts were hidden within Windows registry.
It is presently unclear if the attacker is one group or if several groups are using the same tools. “Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible,” wrote Kaspersky Lab. However, the researchers noted that similar techniques have been used by the groups GCMAN and Carbanak.
Kaspersky Lab will reveal more details about the attack, as well as how the cybercriminals withdrew money from ATMs, at its Security Analyst Summit in April.
For now, Kaspersky has listed indicators of compromise; “detection of this attack would be possible in RAM, network and registry only.” After an infected machine is cleaned, all passwords must be changed. “This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.”